Next-generation Digital Forensics: Expanding the Toolkit

The right forensic tool can search for and identify key evidence hidden in mobile apps.

Many investigative teams face an extreme case backlog, reaching upward of 2 to 3 years. As we know, digital devices and evidence play an increasingly important role, and the techniques used to capture and analyze data as evidence in criminal cases is evolving quickly. These new approaches give the broader investigative team an opportunity to identify priority data more quickly, analyze the evidence in an easy-to-digest format, and, ultimately, accelerate the investigative process.

These techniques include taking an artifact-first approach; providing law enforcement teams with the ability to connect pieces of evidence to one another; use machine learning to automate time- and labor-intensive tasks; identify unsupported evidence sources; and provide emphasis on investigative collaboration.

Mobile first: managing smartphone artifacts

With mobile devices now the primary—if not the only—way many people connect to the internet, conduct business and communicate with loved ones, law enforcement teams need a set of forensic tools to recover the deepest artifacts from the widest variety of devices and verify that no evidence was missed.

It’s valuable, therefore, to have tools that can ingest forensic images from most acquisition methods including full or partial logical images; physical (raw binary) images obtained through JTAG, chip-off, or in-system programming (ISP) extractions; custom recovery flashing; and backups from iTunes and Android debugging (ADB).

Once ingested, these images require an advanced carving engine to obtain files like the SQLite write-ahead log (-wal) and shared memory (-shm) files, as well as pictures and video. For the latter kinds of files, which can be key in mobile child exploitation cases, integration with a tool such as Griffeye AnalyzeDI can help identify known and unknown child sexual abuse material.

Another mobile forensic requirement is the ability to search images or file dumps from iOS and Android devices for SQLite databases, use heuristics to identify the structure and relevant data within common fields in each app category, and derive meaning and context from content. Proper analysis of mobile apps—social, utility, photo, video, gaming, travel and more—can reveal geolocation data, web activity, or contact databases crucial to an investigation. The right forensic tool can search for and identify key evidence hidden in these applications, as well as help clarify where someone was, what they were doing, and with whom they were doing it.

Bringing cloud data back to earth

With device encryption increasingly hindering physical acquisitions, access to data stored in the cloud—including backups, chat histories and account information—is frequently needed. Forensic tools need to capture and analyze cloud data together with smartphone, computer, Internet of Things (IoT), and third-party image data and aggregate into a single case file. Data retrieval from services including Facebook Messenger and timeline, Office 365, Google apps, iCloud, DropBox, Instagram, Twitter, YouTube, Hotmail, Outlook, and Skype for Business, as well as support for two-factor authorization for both iCloud and Google cloud services are especially valuable.

Telling the story of digital evidence

In digital forensics, demonstrating attribution—using operating system artifacts to prove that the suspect had knowledge of the document or image files found on a device—is one of the key elements of building a case—the ability to tell an evidentiary story is even better. How did a file get here? Where did it go—to whom and from whom? This can be especially important when a suspect denies knowing anything about the contraband or illicit files.

Artifact relationship analysis goes beyond traditional “call chain analysis” that visualizes relationships only between people. It applies the same concept to files and operating system artifacts, helping a forensic examiner to visualize relationships within artifacts and across evidence sources—mobile devices, computers, and even cloud-based accounts.

By automatically tracing the movement of files between systems and devices, artifact relationship analysis enables forensic examiners to quickly build a story of where evidence came from, including the context around where it is currently located, how it was shared, and with whom, building the timeline and story of user activity. Altogether, these artifacts can provide attributions for things you see and don’t see, to prove that they existed and were accessed even if they no longer reside on a system or device.

Artificial intelligence is powerful enough to process chat conversations and identify those that should be further examined for child luring. Photo: Andrew Neel via Unsplash

Using AI to identify victims of child predators

When it comes to identifying victims or potential victims of child predators, investigators often face an uphill climb. Because luring, or grooming, often happens over chat apps (and chat features within), thousands or even millions of messages, may need to be searched in a short period of time.

Even when a team finds relevant evidence quickly, it can be difficult to take time to evaluate these messages individually, resulting in human error such as missing a key piece of evidence or mistaking true and false positives.

Artificial intelligence is powerful enough to process massive amounts of chat conversations and messages from computers, mobile devices, and cloud accounts to identify those that should be further examined for child luring. It improves the triage process by helping examiners to focus their efforts more accurately and precisely, saving time and reducing the risk of human error in missing messages.

The need for easy, portable case collaboration

The ability to share and collaborate on a case with other stakeholders and to include all the digital evidence that has been acquired is crucial to good case-building. It helps paint the whole picture of the evidence, helping investigators to analyze all retrieved content in the form of artifacts, without needing the original source evidence.

With the mass volumes of smartphones and laptops being delivered to digital forensics teams, labs, or solo examiners, it is important to have a single primary case file that allows multiple people to share the workload more easily.

Team members can examine files relating to their expertise and then merge their findings back into the main case. This is a great way to delegate the time-intensive analysis and move through the case more quickly, while still maintaining case and evidence integrity.

Between smartphones, the cloud, and other data sources, the ability to collect, analyze, connect and report on digital evidence is crucial to the toolkit approach that ensures you have access to the evidence needed to build solid cases. ●

Christa Miller is a content specialist at Magnet Forensics. Along with a background in trade journalism and fiction writing, Christa brings years of experience in digital forensics—and a variety of creative and research techniques to Magnet Forensics, producing a broad variety of content.